Home server network positioning and security

go6ko (n00b, joined Dec 24, 2021, 2 messages)
Hello Guys,

First of all, Happy Holidays, I hope you are all well!

I'm about to install an Ubuntu home server in my house to host some game servers and an Apache server.
My ISP will provide a static address for me, so I do not need to worry about DDNS configuration.

The problem is that I'm really concerned about the security. I will change some of the usual stuff like SSH ports, will also install fail2ban, and make sure that I only open the ports I really need to the public.
But I can't figure out what would be the best way to position the server and change my home network configuration. I really want to do my best to keep everyone in the LAN safe (I already know that this is really hard given the fact that I use a cheap TP-Link router). I really think that the server can handle WAN stuff better, so I was thinking about WAN > Server > Router. The server already has 2 network cards, so I can forward the traffic to the other one and attach my home router there. However, I'm willing to sacrifice WAN stability to achieve better security and put the server behind my router - WAN > Router > Server.

Thinking about both options, aren't they the same? In both ways all LAN clients in my home network will be behind the router that has some firewall stuff built in.
I will greatly appreciate your opinions and ideas on this.

Thank you very much!
 
Does the TP-Link have the ability to do two networks? Either physical LAN ports or VLANs. One for the server and one for other devices in your house?
 
Who are you hosting game servers for?
Who are you hosting Apache for and what will it be used for?
How is your Linux knowledge, especially around hardening?
Changing ports doesn't really do anything positive at all from a security standpoint. As soon as you put this thing on the internet, it's going to get port scanned for any open and responding port.

I'd absolutely not put it directly on the wire to WAN in any circumstances. I'm not even sure what you are trying to say with "really think the server can handle WAN stuff better"... unless you're pushing an absolute ton of bandwidth or pps, you likely don't need to worry about your router not being able to handle the traffic.
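
A check that fits the port-scanning point above, added here as an example and not part of the original post: before any port is forwarded, compare what the server actually listens on against what is meant to be public. The allowlist and the sample `ss` output, including the game port, are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list sockets reachable from other hosts
# that are not on an allowlist. Input is `ss -H -tuln` output on stdin.

# $1 = space-separated allowlist such as "tcp/80 udp/27015"
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            addr = $5; port = $5
            sub(/.*:/, "", port)        # text after the last colon
            sub(/:[^:]*$/, "", addr)    # everything before it
            # Loopback-only sockets cannot be reached through a port forward.
            if (addr ~ /^127\./ || addr == "[::1]") next
            id = $1 "/" port
            if (!(id in ok) && !(id in seen)) { seen[id] = 1; print id }
        }'
}

# Constructed sample in `ss -H -tuln` format (not captured from a real host).
sample_ss() {
    cat <<'EOF'
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:27015  0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0      511                *:80           *:*
tcp   LISTEN 0      151          0.0.0.0:3306   0.0.0.0:*
tcp   LISTEN 0      128             [::]:22        [::]:*
EOF
}

# Intended exposure: the website and one game server (port is an assumption).
sample_ss | unexpected_listeners "tcp/80 udp/27015"
```

On the server itself, run `ss -H -tuln | unexpected_listeners "tcp/80 udp/27015"` with your own allowlist; here the database bound to all interfaces and SSH are flagged.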
 
Thank you guys.

Yes, the TP-Link will support 2 networks with OpenWrt.

I'm hosting the game servers for myself and my friends. The Apache will be used for our website (WordPress). Let's say I'm 3/10 when it comes to hardening.

So, what is your suggestion, to put the server behind the router and forward the ports that I need?
 
For SSH, either set up a VPN, or set up SSH keys as the only allowed login method. No need to change away from port 22. I'd lean towards VPN here, but, choice is yours.

If it's just a few friends... I'd spin up a VPN (Tailscale makes it SUPER freaking easy, but OpenVPN and WireGuard are also pretty simple). Have that be how everyone connects to it. Semi annoying, but, safest bet.

If you have a lot of friends doing it, then you'll want to read up on each individual game you're hosting and see if they have a server hardening guide. Most probably won't and you'll be stuck guessing. You can just install the game(s) and forward ports, but, that's risky without knowing what is going on underneath (and if there's any unpublished vulns, default creds, etc).

Hosting Apache is fine and pretty well known, tons of articles on how to do that safely. One misstep and it'll get pwned so gotta be thorough and careful. Do all your install, setup, and hardening before putting it on the wire. WordPress means some sort of DB backend, which again, means more reading and hardening of that.
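
One way to confirm that SSH keys really are the only login method, added here as an example and not part of the original post. The sample config is constructed; on a real host, feed the function the saved output of `sshd -T`, which prints the effective settings.

```shell
#!/bin/sh
# Added example: check sshd settings for key-only login. Input is a file in
# sshd_config syntax or, better, saved `sshd -T` output. Match blocks are
# not evaluated (assumption: the file has none).

# Print the first value given for a keyword, lowercased (sshd uses the first).
sshd_value() {  # $1 = file, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }               # accept "Keyword=value" too
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Print one FAIL line per finding; the return status is the finding count.
audit_sshd() {  # $1 = file
    file=$1
    findings=0
    # keyword : OpenSSH default when unset : accepted values
    while IFS=: read -r key default accepted; do
        val=$(sshd_value "$file" "$key")
        [ -n "$val" ] || val=$default
        case " $accepted " in
            *" $val "*) ;;
            *) echo "FAIL $key=$val (want: $accepted)"
               findings=$((findings + 1)) ;;
        esac
    done <<'EOF'
passwordauthentication:yes:no
kbdinteractiveauthentication:yes:no
pubkeyauthentication:yes:yes
permitrootlogin:prohibit-password:no prohibit-password
EOF
    return "$findings"
}

# Constructed sample: the second PasswordAuthentication line is ignored, but
# keyboard-interactive is left at its default and can still prompt for a
# password through PAM.
sample=$(mktemp)
cat >"$sample" <<'EOF'
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
EOF
audit_sshd "$sample" || echo "findings: $?"
rm -f "$sample"
```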
 
Do not run a WordPress site on the open internet; run an NGINX reverse proxy at a MIN in front of it. WordPress, more so the plugins, are so insecure and the cause of 99% of all exploits that get into WP, and once they are into WP, they could get into your network. A reverse proxy lets you at least secure things that much more, and cache things, which lowers load on your webserver. In general, I always recommend NGINX over Apache for everything: more secure, better with PHP, and many other benefits.

VLANs if possible, but now you want smart switches.

Honestly, you could buy web hosting for a WordPress site for like $5 a month and not have to worry about this.

Also, what is your upload speed? Because that is what matters for running game servers.

I think most of us have all gone through this, we want to host everything on our network cause it will be cool, the experience is great, but maintaining it becomes a pain in the butt and thus, paying $20 a month for hosting just makes life easier.
 
No joke! It can be a good learning experience as well, especially if it can be applied to someone's career. I'd personally just toss up something on Azure or AWS and call it done, but there are so many options for hosting sites and games.
 